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[57] ABSTRACT 

A method and a system for dpber key distribution realizing 
an effective prevention of the illegitimate use and the 
illegitimate charging. A key request signal containing a first 
random number generated at each user temiinal is transmit- 
ted from each user terminal to the fcey center, so as to 
indicate the cipher key required at each user terminal to the 
Imy center, and a terminal check signal containing a second 
random number generated at the key center is transmitted 
from the key center to each user terminal Then, a tenninal 
response signal containing the second random number and a 
vahie based on the first random number obtained according 
to the first random number generated at each user tenninal 
and the second random number contained in the terminal 
check signal is transmitted from each user tenninal to the 
key center, and the second random tiumber and the value 
based on the first random number contained in the tenninal 
response si^ial are chected at the key center, according to 
the second random number generated at the key center and 
the first random number contained in the key request signal, 
so as to confirm a legitimacy of an access from each user 
terminal Hien, a key distribution signal containing the 
c^iher key requested by the key request signal is transmitted 
from the key center to each user tenninal. only when the 
legitimacy of the access firom each user terminal is con- 
firmed. 

20 Claims, 12 Drawing Sheets 
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CIPHER KEY DISTRTOUnON SYSTEM 
EFFECTIVELY PREVENTING 
ILLEGITIMATE USE AND CHARGING OF 
ENCIPHERED INFORMATION 

BACKGROUND OF THE INVENTION 

1. Field of the lavcntion 

The present invention relates to a cipher ixy distribution 
system for distributing a cipher key from a bey center to an 
unspecified number of user terminals through a public 
network. 

2. Description of the Bacliground Art 
In a system farmed by a key center and an unspecified 

number of user terminals connected with the key center 
through a public network, an enciphered application (AP) 
and a terminal program necessary for utilizing this system 
are initially distributed to an unspecified nun^Tcr of user 
terminals either through the network or by the use of ■ 
information recording media. In such a system, in order to ^ 
decipher the AP, the key center distributes a certain cipher 
key (referred hereafter as an AP lay) to the user terminals. 

Now. such a system ideally should satisfy the following 
conditions. 

(1) A terminal program cannot be analyzed at the user 
terminal. 

(2) An AP key obtained at the user terminal and a program 
for deciphering the AP are protected' against an illegitimate 
use. 

(3) A cipher scheme of the enciphered AP whidi is 
distributed to the terminal users and a aphcr scheme for 
enciphering signals on commumcatioD lines have sufGcient 
seaecy. 

Id the following, a use of the AP by a tominal user 
without using a comiection with the key center through a 
legitimate protocol will be referred as an illegitimate use. 

In general, for the condition (3). there are some proposi- 
tions for a scheme which can guarantee a certain level of 
secrecy. However, for the conditions (1) and (2). there arc 
cases in whidi it may be difficult to adopt a scbemc relying 
on a specialized hardware for reasons such as that of cost, 
etc., and there is a need to provide a software based 
frotection scheme. In such a software based protection 
scheme, however, a level of protection is a matter of relative 
significance because the analysis of the terminal program is 
still possible in principle, and the acquisition of the AP key 
obtained at the user terminal is also still possible. 

In the above described system, depending on a protocol 
scheme used between the uso: terminal and the key center, 
the iUegitiriiate use by a malicious terminal user is possible 
by means of the tapping of signal on the communication line 
between the key centa and the user terminal. 

For exan^e. consider a conventional protocol scheme as 
shown in FIG. 1 in whldi the AP key is simply enciphered 
and distributed from the key center in response to the request 
for the AP key from the user tcrminaL This scheme will be 
referred hereafter as a conventional sdiemc A. 

In this conventional scheme A, at the usa terminal, the AP 60 
key request signal is produced by enciphering a user iden- 
tifier such as user ID. pass word. etc.. and an AP request data 
necessary for requesting a desired AP in a public key 
encqjhering scheme E using a public key Ke that was 
distributed in advance as a cipher key, and transmitted to the 
key center. Then, at the key center, the received AP key 
request signal is dcciphcFed by using a secret key Kd 
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corresponding to the public key Ke, and an AP key distri- 
bution signal is produced by enciphering a dec^hcr key (AP 
key) Kl of the requested AP in the public key enciphering 
scheme using a public key Ke' as a dpher lay, and trans- 
mitted to the user tominal, while charging the fee for the 
requested AP to the user. Then, at the user tarainal, the AP 
key distribution signal is dedphered by using a secret key 
Kd' corresponding to the public key Ke' that was distributed 
in advance, to obtain the AP key Kl of thedesircd'AP. In this 
procedure, the transmission of the user identifier from the 
user terminal to the lay center may be omitted 

Here, it is noted that the secret key endphering scheme is 
a scheme in which the cipher key and the dedpher key are 
the same, whereas the public hsy endphering sdieme is a 
scheme in whidi the dpher key and tiie dedpher key are 
different. In the conventional scheme A described above, the 
public key endpherii^ scheme is used, but if the key can be 
shared secretly and safely in some manner at the beginning, 
it is also possible to consider a case of using the secret key 
endpheri[^ scheme instead of the public key enc4)hcring 
scheme. 

In this conventional scheme A, even when the system 
satisfies aU the conditions (1) to (3) noted above, it is still 
possible to make the legitimate use of the AP as follows. 
Namely, the key cent^ transmits the same AP key for the 
same AP, so that the same AP key distribution s^nal is going 
to be transmitted through the communication line every time 
the same AP is requeued. Consequently, the ille^timate use 
is possible by recording the AP key distribution signal at a 
time of connecting with the key center once, and forming a 
dummy key center which rcf^oduces the recorded AP key 
distribution s^nal. In other words, this is an Lllegttimate use 
of the AP by a fake key center using communication line 
t^yping and recording. 

This type of ttie illegitimate use is effective in a case of 
using the charging method in which each time of the use of 
the APis charged separately. In such a case, the user terminal 
is going to receive the same AP key distribution sigtial for 
every time of the use of the same AP, so that it is possible 
to make the legitimate use in the first occasion in order to tap 
and record the AP key distribution signal, and input the 
recorded signal into the user terminal without connectmg 
with the key center in the subsequent occasions. 

Note however that, in this type of the illegititnate use, it 
is necessary to make the legitimate connection with the key 
center in the first occasion at least. For this reason, in a case 
of using the charging method in whidi the AP software itself 
is sold once and for all. this type of the illegitimate use is 
iii^>ossibIe, because in such a case, the same AP key wiU 
never be recdved again once the key for the AP is received 
from the key center at the user tcrminaL 

On the other hand, in order to deal with this type of the 
illegitimate use, consider another conventional jn'otocol 
scheme as shown in FIG. 2 in which the user terminal 
generates a random number and transmits that to the key 
center, and the key center enc^}hers and distributes the AP 
key according to the received random number. This scheme 
will be referred hereafter as a conventional scheme B. 

In tills conventional scheme B. at the user terminal, the AP 
key request signal is produced by endphering a user ideo- 
tifier such as a user ID, pass word, etc.. an AP request data 
necessary for requesting a desired AP, and a random number 
K3 generated at the tenninal in a public key enciphering 
. scheme E using a pubtic lay K2e that was distributed in 
advance as a dpher key, and transmitted to the key center. 
Then, at the key center, the recdved AP lay request signal 
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is deciphered by using a secret key K2d conespoDdiiig to the 
public key K2c. and an AP key distributxoa signal is pro- 
duced by enciphering a decipher key (AP key) Kl of the 
requested AP in the secret fcey enciphering scheme E using 
the random number K3 as a cipher key, and transmitted to 
the user terminal. Then, at the user taminal. the AP key 
distribution signal is deciphered by using the random num- 
ber K3 generated earlier, to obtain the AP key Kl of the 
desired AP. In this proccdm'e. the transmission of the user 
identifier irom the user terminal to the key center may be 
omitted. 

According to this conventional scheme B. a different 
signal flows through a communication line each time, so 
that, when the system satisfies the conditions (1) to (3) noted 
above, even if a third person intending the illegitimate use 
of the AP produces a duimny key center by tapping and 
recording the signal on the communication line and inputs 
the recorded signal into own terminal program, whether the 
inputted signal is enciphered by the same random number as 
that which was generated earlier at that user terminal or not 
is checked inside the user terminal, so that it is impossible 
to make the above described illegitimate use of the AR 

However, in this conventional sdieme B. even when the 
conditions (1) to (3) noted above arc satisfied, it is still 
possible to make the following illegitimate adion whidi is 
different from the above described illegitiraate use of the AP. 

Namely, the third person can tap and record the signal 
from a legitimate user terminal to the key center, and then 
transmits the recorded signal to the key center later on. Here, 
if the public network used in this service is a type which does 
not have a function for confirming a calling side ID as in a 
case of the telephone network, it is possible to reproduce an 
infoimatioD transmitted from the user terminal to the key 
center for the purpose of authenticating the calling side, by 
tapping and recording of the signal on the communication 
line in principle. When the AP key request signal from the 
user terminal is received, the key center transmits the AP key 
distribution signal corresponding to that and charges the fee 
for the requested AP to the user when the requested AP is a 
chargeable one. 

In this manner, the third person can makes the key center 
to transmit an unnecessary AP key to the legitimate user, and 
charge unnecessary fees to the iegitimflte user. In other 
words, this is an illegitimate charging by a fake user terminal 
using conmiunication line tapping and recording. 

Moreover, as already mentioned above, the conditions (1) 
and (2) noted above may not necessarily be satisfied com- 
pletely all the times. In particular, in a case of using a 
protection based on the software technique, the analysis of 
the terminal software is often possible in fffinciple albeit not 
so easy. ^ 

In such a case, the tapping and the recording of the signals, 
on the communication line is the easiest thing one can do 
toward the program analysis. This is because when the 
meaning of the input output signals of the terminal program 
are analyzed, it is possible to reveal the function of the 
terminal p-ogram itself. 

For example, for the conventional scheme B described 
above, the following procedure is predictable. First, the 
legitimate use of the AP is made, and the analysis of the 
meaning is carried ouL The enciphered AP is disposed at 
hand of the terminal user from the beginning and it does not 
change in time, so that the AP key for deciphering the same 
AP also does not change in time. On the other hand, by 
means of the tapping of the communication line, it can be 
recognized that the received signal of the terminal program 
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is different for the same AP each time, so that it can be 
recognized that the received signal is changed in some 
manner such as that which uses a random number. 

Here, however, in order for the user terminal side to obtain 
the AP key by deciphering the received signal, it is necessary 
to learn a rule by which this constantly changing received 
signal is changing. In this regard, in the conventional 
scheme B, the signals are exchanged only once, so that it is 
evident &at the user terminal side is specifying this rule for 
10 change at first Consequently, by checking the rule for 
change specified by the terminal program, it is possible to 
obtain an information useful for the purpose of the illegiti- 
mate use. 

In the conventional scheme B, when the terminal program 
is analyzed from such a viewpoint even if the content of the 
signal itself cannot be revealed as it is enciphered, the 
meaning of each signal can be determined almost uniquely 
by conjecturing from the fact that the AP key itself does not 
change and the fact that the signals actually transmitted and 
received change. TTius, except for a case in which the 
analysis is in^ssible in principle, the diflEculty in the 
analysis can be reduced considerably in diis manner. 

As described, a mere endpherment of the information on 
the communication line, and a simple variation of the signal 
on the communicarion Une based on a random number are 
insufBcient in coping with the problems of the illegitimate 
use and the Illegitimate charging described above. 

Furthermore, in a case of realizing a protection of the 
terminal program by means of software alone, without any 
hardware based protection, the analysis can be made difficult 
at best and it remains possible in principle in many cases. 

The user intending the illegitimate use of the AP can carry 
out the tapping and tfie recording of the signals on the 

35 communication line by using his own user terminal, for the 
purpose of analyzing the terminal program. In this case, by 
tapping and reccffding the signals between the user termind 
and the key center for several times and simply comparing 
. these recorded signals, an inform^on useful for the purpose 

4Q of analyzing the taminal program can be obtained. 

Thus, in a simation in which the terminal program analy- 
sis or the illegitimate action using intermediate communi- 
cation Une tapping and recording by a malicious terminal 
user is possible, a mae endpherment of the signal on the 

45 communication line or a complication of the terminal pro- 
gram itself is insufScient as the protection against the 
illegitimate use, and it is necessary to deal with the problems 
of the illegitimate use and the illegitimate charging based on 
the production of the dummy key center or user terminal and 

50 the simplification of the analysis of the terminal program. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide 
a cipher key distribution system capable of realizing a safe 
53 cipher key distribution and an effective prevention of the 
illegitimate use and the illegitimate charging, by preventing 
the production of the dummy key center or user terminal 
while providing little hints for the analysis of the terminal 
program. 

60 According to one aspect of the present invention there is 
provided a method of cipher key distribution in a system 
formed by a key center having a cipher key to be distributed 
and a plurality of user tenninals connected with the key 
center through a public network, the method comprising the 

65 steps of: (a) transmitting a key request signal containing a 
first random number generated at each user terminaL from 
each user terminal to the key center, so as to Indicate the 



09/16/2004, EAST Version: 1.4.1 



5,651,066 

5 6 

cii^ier key required at each user tenninal to the key center; random number; means for producing the terminal response 

(b) transmitting a terminal check signal containing a second signal containing the second random number contained in 

random number generated at the lay center, from the fccy the terminal check signal and the value based on the first 

center to each user terminal; (c) transmitting a terminal random number; and means for obtaining the cipher key 

response signal containing the second random number and a 5 from the key distribution signal received from the key 

value based on the first random number obtained according center; and wherein the key center includes: means for 

to the first random number generated at each user terminal receiving the key request signid from each user terminal, 

and the second random number contained in the terminal transmitting the terminal check signal to each user termina^ 

check signal, from each user terminal to the key center; (d) in «sponse to the key request signal, receiving the texminal 

checking the secondrandom number and the value basedon 10 response Mgnal from each user 5^1^?/^.^^^^^ 

the first random nmnber contained in the terminal response T'TT^^t S^th^^SSS 

. , ™ : . J- . ,»^^™ signal to cadi user tenmnal m response to the terminal 

signal at the key cent«, accordmg to the second random B obtaining^e first random num- 

number generated at the key center and the first random ^cr from the key request signal r«:cived from each user 

number contained in the key request signal, so as to confirm ^acaos for generating the second random number, 

a legitimacy of an access from each user terminal; and (e) 15 ^^^^ ^^j. p^ducing the terminal check signal containing 

transmitting a key distribution signal containing the apher ^^^^^^ random number; means for obtaining the value 

key requested by the key request signal, from the key ccntw hisad on the first random number and the second random 

toeachuserterminal,onlywhenthelegitinjacyoftheaccess number from the terminal response signal received from 

from each user terminal is confirmed at the step (d). ^^^^ tenninal; means for checking the second random 

According to another aspect of the present invention there 20 number and the value based on the first random number 

is provided a cipher key distribution system, comprising: a contained in the terminal response signal, according to the 

key center having a cipher key to be distributed; a plurality second random number generated at the key center and the 

of user terminals cormected with the key center through a fijst random number contained in the key request signal, so 

public network; key request means, provided in each user as to confirm a legitimacy of an access from each user 

terminal, for transmitting a key request signal containing a 23 terminal; and means for producing die key distribution 

first random number generated at each user tenninal, from signal containing the cipher key requested by the lay request 

each user terminal to the key center, so as to indicate the signal, only when the Intimacy of the access from each 

cipher key required at each user terminal to the key center; user tenninal is confirmed by said means for checking, 

tenninal check means, provided in the key center, for q^^^^ features and advant^es of the present invention 

transmitting a terminal check signal containing a second 30 become apparent from the foUowii^ description taken 

random number generated at the key center, from the lasy conjunction with the accon^anying drawings. 

center to each user terminal; terminal response means, ■ „ 

provided in each user terminal, for transmitting a terminal BRIEF DESCRimON OF THE DRAWINGS 

response signal containing the second random number and a FIG. 1 is a chart showing a flow of processing between a 

value based on the first random number obtained according 35 usa- terminal and a lay center in one example of a conven- 

to the first random number genaated at each user termini tional cipher key distribution scheme. 

and the second random number coirtained in ttie terminal piG. 2 is a chart showing a flow of processing between a 

check signal, from each user terminal to the key center; user terminal and a bey center in another exan:q>Ie of a 

check means, provided in the key center, for checking the conventional cipher key distribution scheme. 

second random number and the value based on the first 40 yIG. 3 is a schematic block diagram showing an overall 

random nundjcr contained in the terminal response signal configuration of one embodiment of a cipher bey distribu- 

according to the second random number generated at the key ^jq^ system according to the present invention. 

center and the first random number contained in the key pjQ 4 ^ block diagram of a user terminal in the c^her 

request signal, so as to confirm a legitimacy of an access distribution system of FIG, 3. 

from each user tenninal; and key disttibution means, pro- 45 g^^^ ^lock diagram of a key center in the cipher key 

vided in the key center, for transmittuig a key distribution <^stribution system of HG. 3. 

signal contaiidng the cipher key requested by the key request ' of processing between a 

signal, from the key center to e^ user tmrnnd. only when ^ ^ key distribution 

the legitimacy of the access fiom each user temunal is systemof FIG 3 f ^ 

confirmed by the check means. so ^ ^ ^ ^ 

Accordmgtoanothcraspert^^^^^ andakeycenterinthedpherkeydistiibutionsystemofna 

is provided a ajAta key distribution system, compnsing; ^ -i j ■> 

kKV center having a cipher key to be distributed; and a * , . . u 

plurality of user Termini connected with tiie key center ^0; » "J ^ ^^^"^f^ ^ ^f'^f Processing to be 

Suough a pubUc network; wherein each user ierminal « camj^ out between a user terming and a key 

includes: mLns for transmitting a key request signal to the modification of tiie cipher key distnbuUon system of HG. 3. 

key center, receiving a temunal check signal from tiie key HG. 9 is a chart showing a flow of processmg to be 

center in response to the key request signal, transmitting a carried out between a user tenmnal and a key center in 

tenmnal response signal to the key center in response to the anotiier modification of tiie cipher key distiibution system of 

terminal check signal, and receiving a key distribution signal 60 3. 

from the key center in response to tiie texminal response FIG. 10 is a chart showing a flow of processing to be 

signal; means for generating a first random number, means carried out between a user terminal and a key center in 

for producing the key request signal containing the first another modification of the C4)her key distribution system of 

random number, for indicating the d|)her key required at FIG- 3. 

each user terminal; means for obtaining a second random 65 FIG. 11 is a schematic block diagram of a software sales 
number from the terminal dieck signal received from the system utilizing the cipher key distribution metiiod accord- 
key center; means for obtaining a value based on the first ing to the present invention. 
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FIG. 12 is a block diagram of a CD-ROM manufacturer 
terminal in the software sales system of FIG. 10. 

DETAILED DESCRIFnON OF THE 
' PREFERRED EMBODIMENTS 

Now. one embodimeDt of tbe cipher key distribution 
system according to the present invention will be described 
in detail. 

In this embodiment, the cipher key distribution system 
has an overaU configuFation as shown in FIG. 3, which 
comprises a key cent^ 1 having a cipher key (referred 
hereafter as AP key) to be distributed, and a plurality of user 
termiaais 5 connected with the key center 1 dirough a pubUc 
network 3. In this system of FIG. 3, when the AP key 
becomes necessary at the user temiinal 5, the user terminal 
5 is connected with the key center 1 du'ough the public 
network 3 so as to receive the distribution of the AP key 
from the key center 1, 

Each user terminal 5 has a configuration as shown in FIG. 
4. which comprises a key management unit 51, a random 
number generatcu' 52. a multi-value function unit 53, an 
enciphering device 61. a deciphering device 62. and an 
enciphering device 63, a deciphering device 64, all of which 
are mutually connected, and a coirnnunication line control 
unit 65 which is connected with the endjAcring and deci- 
phering devices 61, 62, 63. and 64 on one hand and with the 
public network 3 on the other hand. Functions of these 
elements of the user terminal 5 wiU be described in detail 
below. 

Also, the key center 1 has a configuration as shown in 
FIG. 5, which comprises a key management unit 11, a 
random number generator 12, a multi- value function unit 13. 
an AP key database 14. a deciphering device 21, an enci- 
phering device 22. a deciphering device 23, and an enci- 
phering device 24, which are mutually connected, and a 
communication line control unit 25 which is connected with 
the deciphering and enciphering devices 21, 22, 23, and 24 
on one hand and with the public network 3 on the other hand. 
Functions of these elements of the user terminal 5 will be 
described in detail below. 

FIG. 6 shows a flow of processing among the user 
terminal 5 and tbe key center 1 in this embodiment In FIG. 
6. a symbol E(X, Y) indicates a signal in which X is 
enciphered in the public key enciphering scheme E using a 
key Y. and a symbol E'(X, Y) indicates a signal in which X 
is enciphered in the secret key enciphering scheme E' using 
a key Y. In this embodiment, it is assumed that the user 
terminal 5 has a public key K2e firom the beginning. 

Now, the flow of processing shown In FIG. 6 will be 
described according to the flow chart of FIG. 7. In this flow 
chart of FIG. 7, steps indicated by double lined boxes belong 
to the processing at the key center 1. while steps indicated 
by single lined boxes belong to the processing at the user 
terminal 5. 

First, in tbe initial state, the user terminal 5 sets up and 
stores the public key K2e in the key management unit 51 
(step 501). while the key center 1 sets up and stores the 
secret key K2d carresponding to the public key K2e in the 
key management unit 11 as well as tbe AP keys to be 
distributed to the user tenninals 5 in the AP key database 14 
(step 502). 

When the user terminal 5 requires the AP key Kl. a 
random number K3 is generated at the random number 
generator 52. and a signal E(K3. K2e) c^tained by enci- 
phering the generated random number K3 by using the 
public key K2e stored in the key management imit 51 at the 



endpheiing device 61 is transmitted as an AP key request 
signal from the communication line control unit 65 to the 
key center 1 (step 503). 

At this point, if the user identifier sudi as a user ID, pass 
3 word, or both of them, etc is also required, it is endphcred 
and transmitted along with the random nimiber K3. but this 
transmission of the user Identifier may be omitted. 

In the key center 1 which received the AF key request 
signal the random number K3 is dcdphcred by using the 
seaet key K2d stored in the key management unit 11 at the 
dedpheiing device 21. Then, a random number K4 is 
generated at the random number geno-ator 12, and a signal 
E'(K4, K3) obtained by enciphering the generated random 
number K4 by using the deciphered random number K3 at 
the endphering device 22 is transmitted as a terminal check 
signal from the comniunication line control unit 25 to the 
user terminal 5 (step 504). 

Here, which AP key of which AP is requested by the user 
terminal 5 is indicated In the AP key request signal described 
^ above, and the key center 1 can recognize this information 
from the received AP key request signal. 

Li the USQ* terminal 5 which recdved the terminal check' 
signal, tbe random number K4 is dedphered by using the 
^ random number K3 at the deciphering device 62. In 
addition, this random number K3 is inputted into the multi- 
value function unit 53. and an arbitrary one of Its outputs K3' 
is obtained. Then, a signal E(K3*+K4. K2e) obtained by 
endphering the decohered random number K4 and multl- 
^ value function output K3' by using the public key K2e at the 
endf^cring device 63 is transmitted as a terminal response 
signal to the key center 1 (step 505). 

In the key center I whldi recdved the terminal response 
signal, the random number KA and the multi-value function 
ou^ut K3' are dec^^hercd by using the seaet key K2d at the 
deciphenog device 23 (step 506). Then, whether the deci- 
phered random number K4 coincides with that which was 
generated earlier at the random number generator 12 or not 
is checked (step 507). If it coinddes. the random number K3 
^ is inputted Into the multi-value function unit 13 and whether 
the dedphered multi-value function ouqiut K3' exists among 
a set of outputs produced by the multi-value function unit 13 
or not is checked (step 508). If it exists, ic., when these two 
conditions of the steps 507 and 508 are satisfied, it is Judged 
as a legitimate access from aproper user terminal, so that the 
requested AP key Kl is taken out from the AP key database 
14, and a signal E'(K1, K3'-i«4) obtained by enciphering 
this AP key Kl by using the random number K4 and the 
multi-value function output K3' at the encq)hering device 24 
is transmitted as an AP key distribution signal to tbe user 
terminal 5 Sstep 509). 

On Uie other hand, when cither one of the two conditions 
' of the steps 507 and 508 is not satisfied. It is judged as an 
illegitimate access from an improper user terminal, so that 
55 the conuuunication is disconnected (step 511). 

Finally, in the user teonlnal 5 which recdved tbe AP key 
distribution signal, the AP key Kl is obtained by deciphering 
the received AP key distribution signal by using tbe random 
number K4 and the multt-value function ou^ut K3' at the 
60 dedphering device 64 (step 510). 

Now. the effect of the dpher key distribution system of 
this embodiment will be described. 

As already mentioned above, in a situation In whidi the 
Illegitimate action using intermediate communication line 
65 tapping and recording by a malidous terminal user is 
possible, a mere encipheiment of the signal on the conunu- 
nication line is insuffident as the protection against the 
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illegitimate use. In view of this fact, the effect of the present 
invention is to prevent the illegitimate charging by tfic fake 
user terminal using the tapping and recording of the signals 
on the intermediate communication line, as well as a mean- 
ing analysis of the signals which can be a powerful and 
easily obtainable supporting material for the analysis of fhe 
terminal program. 

In the system which satisfies the conditions (1) to (3) 
noted above, suppose that a third person intends to make the 
illegitimate charging to a certain terminal user by means of 
the fake user terminal using the tapping and recording of the 
signals on the communication line. Namely, the third person 
taps and records the signals on the communication line while 
this terminal user carries out a normal legitimate use of the 
AP, Then, the third person transmits the ou^ut signal of the 
terminal user side to the key center again later on. 

However, according to this embodiment, the signals are 
exchanged twice for each use of the AP. so that it is 
necessary for the third person to transmits two signals in an 
order, but the tey center 1 generates a random number each 
time, so that the random number at a time the signal is 
recorded by the third person will be different from the 
random number at a time the illegitimate charging is 
attempted, and it is possible for the key center 1 to notice 
that some illegitiniate action has been atten^ted. 

Next, in the system which satisfies the condition (3) noted 
above, but not ttie conditions (1) and (2) completely, sup- 
pose that the terminal user intending to make the meaning 
analysis of the signals carried out a normal le^timate use of 
the AP several times, and attempted to tap and record the 
signals on the communication line to analyze theoL 

However, according to this embodiment, the signals are 
exchanged twice, so that it is impossible to know whidi 
iaformation is carried by which signaL before analyzing the 
terminal program itself. Also, as the condition (3) is 
satisfied, it is also impossible to decipher the signal itself. 
Consequently, the meaning of the signal cannot be deter- 
mined uniquely by a simple tapping of the conmumication 
line, and therefore the dtfSculty in the analysis of the 
terminal pro-am cannot be reduced. 

Also, according to this embodiment, the multi- value func- 
tion ou^ut K3' is generated from the random number K3. By 
means of this, the multi-value function output K3' which is 
transmitted from the user terminal 5 to the key center 1 as 
the teiminal response signal will not be uniquely detcimined 
in total dependence to the random number K3 so th^ even 
when the random number K3 is identified in some manner, 
and the signal E(K4. K3) is identified by the recording, the 
terminal response signal E(K3'-HK4, K2e). whidi is the 
second output of the terminal program, cannot be identified, 
On the other hand, the key center 1 has the same multi-value 
function, so that it is possible to check whether the multi- 
value function output K3' obtained from the received ter- 
minal response signal E(K4fK3'. K2e) was generated from 
the random number K3 or not. and therefore it is possible to 
confirm that the currently communicating terminal program 
is a proper one originaily provided. 

Here, the multi-value frinction is a function whidi ou^uts 
a plurality of fixed values with respect to one iJ^L Thus, 
when the same value is inputted, a set of the ou^ut values 
is always identical For exan^le. it is possible to use a 
fiinction F by which a certain number r (0^r^99) is put in 
correspondence with a set of all numbers r* (O^r'^9999) for 
which the residue witii respect to N=100 is equal to r. In 
order to apply this function F to the above desolbed 
embodiment, it suffices to set r=K3, and r'=K3'. 



,066 

10 

As a concrete example, in a case of p=3$. the ou^uts of 

the multi-value function will be a set F(38)={38, 138 

9938}. It su£ELCes for the user terminal S to transmits just one 
of these outputs to the key center 1. so that it actually suffices 
5 to generate a random number R (0^Rg99). and calculate 
r'=10aR+r in this case. For instance, if R=22, r'=2238=( lOOx 
22>f3$ will be transmitted. 

At the key center 1 side, it suffices to carry out the mod 
too calculation f<x the received r*. and the comparison with 
10 r already received earlier, to sec if i=i'. If r'=2238 is actually 
received, i^2238=38 (mod 100). so that in comparison with 
n=38 already received earlier, it can be confirmed that r^^ 
indeed, 

!tt is to be noted that the above described embodiment can 
be modified in the following manners. 

Namely, it is possible to realize modified embodiments by 
changing the data to be used as an enciphering key or by 
changing the data to be encqihered. 
^ In particular, after the key center 1 and the user terminal 

5 shared the same key information, it becomes possible to 
carry out the communication by using the secret key enci- 
phering scheme in whidi the enciphering key and the 
deciphering key are the same, so that at the step of trans- 

^ mitting the AP key distribution signal in FIG. 6, in enci- 
phering the AP tey Kl and transmitting it from the loey 
center 1 to the user terminal 5, K3'-i£4 used as an enci- 
phering key for enciphering the AP key Kl can be replaced 
by K3' alone, K4 alone, or K3 alone. For instance, as shown 
in FIG. 8. the AP key distribution signal can be obtained by 
enciphering the AP key Kl by using K3' alone as an 
enciphering key, instead of K3'-HK4 used in FIG. 6. 
Similarly, the embodiment using K4 alone or K3 alone can 
also be realized in obvious manners. 
35 On the other hand, in order to confirm that the program 
operating on the user terminal 5 is a program from whidi an 
access is expeded at the key center 1 side, it is also possible 
to use means other than tiie multi-value function. For 
example, the confirmation at tiie key center 1 side can be 
4Q done by embedding some secret charader string in the 
terminal program in advance, and returning diat secret 
character string from the user terminal 5 to the key center 1. 
In this case, the multi-value function output K3' used in FIG. 

6 is obviously unnecessary, so that as shown in FIQ. 9, the 
45 random number K3 can be used instead of the multi-value 

function outfHit K3' in the tenninal response signal and the 
AP key distribution signaL 

In addition, it is also possible to realize modified embodi- 
ments by changing a combination of the public key end- 
50 phering scheme E and fhe secret key endphering scheme E' 
used in endphering the signals between the Issy center 1 and 
the user terminal S. 

For exanqile. In a case the endphering and/or decohering 
speed is faster for the secret key endphering sdieme E' than 
53 for the public key endpherii^ sdteme H, as shown in FIG. 
10. it is possible to replace the use of the public key 
endphering scheme E utilized in obtaining the endphered 
terminal response signal E(K3'-hK4, K2e) in FIG. 6 by a 
seaet key endphering scheme E' using the random number 
60 K4 as a key to obtain the enciphered terminal response 
signal E(K3'4-K4, K4), sudi that the public key endphering 
scheme £ is used for enciphering the first AP loey request 
signal from the user terminal 5 to the key center 1 alone, and 
the secret key endphering scheme E* is used for enciphering 
65 all the odier signals. In this case, it is unnecessary to supply 
the public key K2e to the encqihering device 63 on the user 
terminal 5 side, while it is necessary to supply the random 
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number K4 generated at the key center 1 to the deciphering 
device 23 instead of the secret key K2d on the Itey center 1 
side, as indicated in FIG. 10. 

Next, an exemplary software sales system utilizing the 
cipher key distribution method of the present invention as 
described in the above embodiment will be described. 

In this software sales system, a software to be sold is 
enciphered and stored in a CD-ROM. Then, a user who 
purchased this CD-ROM installs this CD-ROM into his own 
user terminal and selects the desired software. After the 
selection, the user calls up the key center from the user 
terminal through a modem device, and receives the key for 
deciphering the selected software in exchange to the pay- 
ment of the fee. such that the desired software can be 
deciphered and used thereafter. 

This software sales system has an overall configuration as 
shown in FIG. 11. in which a user terminal 44 and a key 
center 45 are connected with each other through a public 
network. Also, a CD-ROM manufacturer terminal 42 and the 
key center 45 arc connected with each other through a public 
network or LAN. A chargeable information is provided fi-om 
an information provider 41 to the CD-ROM manufacturer 
teiminal 42, and the CD-ROM manufacturer then manufac- 
tures a CD-ROM 43 in which this chargeable information is 
enciphered and stored at the CD-ROM manufacturer termi- 
nal 42, and distributes it in the market. 

The CD-ROM manufarturer terminal 42 has a schematic 
configuration as shown In FIG. 12. which con^rises an 
enciphering device 47 and a CD-ROM manufacturing 
device 48. The enciphering device 47 enciphers all the 
softwares of the chargeable information received from the 
information provider (IP) 41 one by one. by using a different 
AP key Kl for each software. At this point a unique 
identiiication number ID is assigned to each software. Hie 
key center 45 manages an information indicating correspon- 
dences between the identification numbers assigned to the 
softwares and the AP keys used in enciphering the softwares. 
The CD-ROM manufacturing device 48 manufactures the 
CD-ROM 43 by storing the enciphered softwares outputted 
from the enciphering device 47, a public key K2e provided 
from the key center 45. and a sales guidance program to be 
activated by the user in order to select the desired software, 
altogether in one CD-ROM. 

Now. a procedure for manufacturing the CD-ROM will be 
described in further detaiL 

When the information provider (IP) 41 hands over the 
softwares to be sold to the CD-ROM manufacturer, this 
CD-ROM manufacturer assigns a unique ID to each soft- 
ware received from the information provider 41. 

Then, eadi software is separately enciphered by using an 
AP key Kl in correspondence to the ID of each software, 
and stored in the CD-ROM 43. (Note that all the AP keys are 
represented by the same symbol Kl here for the same of 
sin^Ucity, although there are as many different AP keys as 
a number of softwares to be enc^hered.) At the same time, 
the CD-ROM manufacturer also produces a correspondence 
table between the IDs of the softwares and the AP keys used 
in enciphering these softwares. Then, the manufactured 
CD-ROM 43 is distributed in the market, while the coire- 
spondence table is sent to the key center 45. 

Now. a procedure for purchasing the software stored ia 
the distributed CD-ROM 43 will be described in further 
detail. 

The user at his own user terminal 44 purchases the 
CD-ROM 43 manufactured as described above, and installs 
it into a CD-ROM system of the user terminal 44. Then, the 
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user activates the sales guidance program stored on the 
CD-ROM 43.and selects the desired software. (Internally, 
the ID of the desired software is selected at this point) 
"When the desired software is selected, the user terminal 

5 44 is connected with the key center 1 through the public 
network. Then, the user terminal 44 obtains the AP key Kl 
from the key center 45 accordir^ to the cipher key dislri- 
bution method of the above embodiment and reads out and 
deciphers the enciphered software at the CD-ROM system. 
Here, in this example, the ID of the software selected by the 
user is enciphered along with the random number K3 by 
using the public key K2e at the encipheriug device 61 of the 
user terminal as shown in FIG. 4, and the resulting AP key 
request signal is transmitted to the key center 45. At the key 
center 45. using the ID of the requested software obtained by 
deciphering the received AP key request signal, the corre- 
sponding AP bey Kl is retrieved from the AP key database 
14 of the key center as shown in FIG. 5, and the retrieved AP 
key Kl is given to the user terminal 44 by the procedure of 
FIG. 6 for example, while diarging the appropriate fee to 

20 this user. 

As described, according to the present invention, the 
random numbers are geno'ated at both of the user terminal 
and the key center, so that the signals between the key center 
and the user terminal can be ctmnged in each access, and it 

25 is possible to check whether the a&tr terminal is a fake one 
or not by enciphering the random number generated at the 
key center and making the user terminal to return this 
random number by correctly deciphering it. In addition, by 
inputting the random number into the multi-value function at 

3Q the user terminal side, it is possible to prevent the signal 
between the key center and the user terminal from being 
identified even when the random number generation source 
is identified, so that it becomes impossible to draw up a 
block diagram of the teiminal program ftinction in order to 
analyze the processing content of the terminal program. 

Consequently in distributing the cipher key from the key 
center to the user terminal, the cipher key can be protected 
against the taping of the intermediate communication line 
by a malicious terminal user, wtule it Is difQcult to extract 

^ any significant hint for analysis of the terminal program 
from the tapping result so as to realize a protection against 
the falsification of the terminal program, and therefore it 
becomes possible to realize a safe cipher key distriburion 
and an effective prevention of the illegitimate use and the 

45 illegitimate charging by means of ttie production of the 
dummy key center or user terminal. 

It is to be noted here that, besides those already mentioned 
above, many modifications and variations of the above 
embodiments may be made without departing from the 

50 novel and advantageous features of the present invention. 
Accordingly, all such modifications and variatioas are 
intended to be included within the scope of the appended 
claims. 
What is claimed is: 

55 1. A method of cipher key distribution in a system formed 
by a key center having a cipher key to be distributed and a 
plurality of user terminals coimected with the key center 
through a public network, the method comprising the steps 
of: 

60 (a) transmitting a key request signal containing a first 
random number generated at each user terminal, from 
eadi user terminal to the key center, so as to indicate 
the cipher key required st each user terminal to the key 
center; 

65 (b) transmitting a terminal dieck signal containing a 
second random number generated at the key center, 
from the key center to eadi user terminal; 
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(c) transmitting a terminal response signal containing the 
second random number and a value based on the first 
random number obtained according to the first random 
number generated at each user terminal and the second 
random number contained in the terminal check signal, 
from each user terminal to the key center, 

(d) checldog the second random number and the value 
based on the first random numba contained in the 
terminal response signal at the key center, according to 
the second random number generated at the key center 
and the first random number contained in the key 
request signal, so as to confirm a legitimacy of an 
access from each user terminal; and 

(e) transmitting a key distribution signal containing the 
cqjher key requested by the key request signal, from the 
key center to each user terminal, only when the legiti- 
macy of the access from each user terminal is con- 
firmed at the step (d). 

2. The method of daim 1. wherein at the stq> (a), the key 
request signal is produced at each user terminal by enci- 
lAicring the first random number by using a public key, and 
the key center obtains the first random number by dedi*er- 
ing the key request signal by using a secret key correspond- 
ing to the public key. 

3. The method of claim 1. wherein at the step (b), the 
terminal check signal is produced at the tey center by 
enciphering the second random number by using the first 
random number contained in the key request signal, and 
each user terminal obtains the second random nimiber by 
deciphering the terminal check signal by using the first 
random number generated at each user terminaL 

4. The method of claim 1, wherein at the step (c), the 
terminal response signal is produced at each user terminal by 
enciphering the second random number contained in the 
terminal check signal and the value based on the first random 35 
number by using a public key, and the key center obtains the 
second random nuniber and the value based on the first 
random number contained in the terminal response signal by 
dcc^jhering the terminal response signal by using a secret 
key corresponding to the public key. 

5. The method of claim 1. wherein at the step (c). the 
value based on die first random number is a multi-value 
function output obtained at each user terminal by inputting 
the first random number into a multi-value ftinction and 
selecting one of multiple outputs of the multi-value function. 

6. The method of claim 5. wherein at the step (d), the 
value based on the first random number is diecked at the key 
center by inputting the first random number contained in the 
key request signal into the multi-value function and com- 
paring the value based on the first random number contained 50 
in the terminal response signal with the multiple ou^uts of 
the multi-value function. 

7. The method of claim 1. wherein at the step (c). tiie 
value based on the first random number is the first random 
number itself. 

8. The method of claim 1. wherein at the stq) (c), tiic key 
distribution signal is produced at the key center by enci- 
I^ering the cipher key by using the second random number 
and the value based on the first random number contained in 
the tenninal response signal, and each user terminal obtains 
the cipher key by deciphering the key distribution signal by 
using the second random number contained in the terminal 
dieck signal and the value based on the first random number 
obtained at eadi user terminal. . 

9. The metiiod of claim 1. wherein at the step (e), the lay 
distribution signal is produced at the key center by enci- 
phering the cipher key by using any one of the first random 
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number contained in the key request signal, the second 
random number generated at the key center, and the value 
based on the first random number contained in the terminal 
response signal, and each user terminal obtains the cipher 
key by deciphering the key distribution signal by using any 
one of the first random number generated at each user 
terminal, the second random numba* contained in the ter- 
minal check signal, and the value based on the first random 
number obtained at each user terminal, 

10. The method of claim 1, wherein flie steps (a), (b), (c). 
(d). and (e) include the steps of: 
(al) generating the first random number and enciphering 
the first random number by using a public key to 
produce the key request signal at each user terminal; 
(a2) transmittti^ the key request signal produced at the 

step (al) from each user terminal to the key center; 
(a3) obtaining the first random number at the key center 
by deciphering the key request signal transmitted at the 
step (a2) by using a secret key corresponding to the 
public key; 

(bl) generating the second random number and enc^ihcr- 
ing the second random number by using the first 
random number obtained at the step (a3) to produce the 
terminal check signal at the lay center; 
(b2) transmitting the terminal dieck signal produced at 
the stq> (bl) bom the key center to eadi user tenninal; 
(b3) obtaining the second random number at each user 
tenniual by deciphering the terminal check signal trans- 
mitted at tiie step (b2); 
(cl) obtaining a multi-value function output by inputting 
the first random number into a multi- value function and 
selecting one of multiple outputs of the multi-value 
function at each user tenninal; 
(c2) enc^jhering titc second random number obtained at 
the step (b3) and the multi-value function output 
obtained at the step (cl) by using the public key to 
produce file terminal response signal at each user 
tmnlnal; 

(c3) transmitting the tenninal response signal produced at 
the step (c2) from cadi user terminal to the key center; 
(c4) obtaining the second random number and the multi- 
value function output contained in the terminal 
response signal at the key center by deciphering the 
terminal response signal transmitted at the step (c3) by 
using the secret key; 
(dl) checking whether the second random number 
obtained at the step (c4) coinddes with the second 
random number generated aJ the step (bl) at the key 
center; 

(d2) diecklng whether the imilti-value function output 
obtained at the step (c4) is a true output of the multi- 
value function at the key center by inputting the first 
random immber obtained at tiie step (a3) into the 
multi-value function and con^>aring the multi-value 
function output obtained at the step (c4) with the 
multiple outputs of the multi-value function; (d3) con- 
firming the legitimacy of the access firom each user 
terminal at the key center when the stq> (dl) confirms 
that the second random number decq>hered at the step 
(c4) coinddes with the second random number gener- 
ated at die step (bl) and the step (d2) confirms that the 
multi-value function ou^ut dedi^ered at the step (c4) 
is the true output of the multi-value^ function; 
(el) endphedng the dpha key by using the second 
random number and the multi-value function output 
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obtained at the step (c4) to produce the key distribution 
signal at the key center; 
(c2) transmitting the key distribution signal produced at 
the step (el) from the key center to each user terminal; 
and 

(e3) obtaining the cipher key at each usea: terrainaJ by 
dedpheriag the key distribution signal transmitted at 
the step Cc2) by using the second random number 
obtained at the step (b3) and the multi-value function 
output obtained at the step (cl). 

11. A dirtier key distribution system, comprising; 
a key center having a cipher key to be distributed; 
a plurality of user terminals connected with the key center 

through a public network; 
key request means, provided in each user terminal, for 
transmitting a key request signal containing a first 
random number generated at each user terminal, from 
each user terminal to the lay center, so as to indicate 
the dpher key required at each user terminal to the key 
center; 

terminal check means, provided in the key center, for 
transmitting a terminal check signal containing a sec- 
ond random number generated at the key center, from 
the key center to each user terminal; 

terminal response means, provided in each user terminal, 
for transmitting a terminal response signal conta inin g 
the second random number and a value based on the 
first random number obtained according to the first 
random number generated at each user terminal and the 
second random number contained in the texminal check 
signal, from each user terminal to the key center; 

check means, provided in the key center, for checking the 
second random number and the value based on the first 
random number contained in the terminal response 
signal, according to the second random number gener- 
ated at the key center and the first random number 
contained in the key request signal, so as to confirm a 
legidmacy of an access from each user terminal; and 

key distribution means, provided in the key center, for 
transmitdag a key distribution signal containing the 
cipher key requested by the key request signal, from the 
key center to each user terminal, only when the legiti- 
macy of the access from each user terminal is con- 
firmed by the check means. 

12. The system of claim 11, wherein the key request 
means produces the key request signal by enciphcriag the 
first random number by using a public lay. and the key 
center obtains the first random number by deciphering the 
key request signal by using a secret key corresponding to the 
public key. 

13. The system of daim 11. wherein the temrinal dieck 
means produces the terminal check signal by enciphering the 
second random number by using the first random number 
contained in the key request signal, and each user terminal 
obtains the second random number by deciphering the 
terminal check signal by using the first random numbo' 
generated at each user tenninaL 

14. The system of claim 11, wherein the terminal response 
means produces the terminal response signal by enciphering 60 
the second random number contained in the terminal check 
signal and the value based on die first random number by 
using a public tey. and the key center obtains the second 
random number and the value based on die first random 
number contained in the terminal response signal by deci- 
phering the tciminal response signal by using a secret key 
corresponding to the public key. 
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15. The system of claim 11. wherein the terminal response 
means obtains a multi<value function output as the value 
based on the first random number by inputting the first 
random numbn into a mulri-value function and selecting 
one of multiple outputs of the multi-value function. 

16. The system of daim 15. wherdn the check means 
checks the value based on the first random number by 
inputting the first random number contained in the key 
request signal into the multi-value function and comparing 
the value based on the first random number contained in the 
terminal response signal with the multiple ou^uts of the 
multi-value function. 

17. The system of claim 11, wherdn the terminal response 
means u ses the first random number itself as the value based 
on the first random number. 

18. The system of claim 11, wherein the key distribution 
means produces the key distribution signal by enciphmng 
the dpher key by using the second random number gener- 
ated at the key center and the value based on the first random 
number contained in the terminal response signal, and eadi 
user terminal obtains the cipher key by dedphering the key 
distribution signal by using the second random number 
contained in the terminal dieck signal and the value based 
on the first random number obtained at each user terminal 

19. The system of claim 11, wherein the key distribution 
means produces the key distribution s^nal by endphoing 
the dpher key by using any one of the first random number 
contained in the key request signal, the second random 
numba: generated at the l^y center, and the value based on 
the first random number contained in the terminal response 
signal, and each user terminal obtains the dpher key by 
dedphering the key distribution signal by using any one of 
the first random number generated at eac^ user terminal, the 
second random niunber contained in the terminal check 
signal, and the value based on the first random number 
obtained at each user terminal. 

20. A dpher key distribution system, con^rising: 

a key center having a dpher key to be distributed; and 
a plurality of user terminals connected with the key center 

tbrou^ a public network; 
wherdn each user terminal indudcs: 

means for transmitting a key request signal to the ksy 
center, receiving a terminal check signal from the 
key center in response to the key request signal, 
transmitting a terminal response signal to the key 
center in response to the terminal dieck signaL and 
receiving a key distribution signal from the key 
center in response to the terminal response signal; 

means for generating a first random number; 

means for producing the key request signal containing 
the first random number, for indicating the dpher 
key required at each user terminal; 

means for obtaining a second random number from the 
terminal check signal recdved from the key center; 

means for obtaining a value based on the first random 
number; 

means for producing the terminal response signal con- 
taining the second random number contained in the 
terminal check signal and the value based on the first 
random number; and 
means for obtaining the dpher key from the key 
distribution signal received from the key center, and 
wherein the key center indudes: 

means for recdving the key request signal from each 
user terminaL transmitting the terminal check signal 
to eadi user terminal in response to the key request 
SignaL receiving the terminal response signal from 
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each user texminal in response to the tenmoal check 
signal, and transmitdng the key distribution signal to 
each user terminal in response to the terminal 
response signal; 

means for obtaining the first random number from the 5 
key request signal received ftom each user terminal; 

means for genoatiog the second random number; 

means for producing the terminal check signal contain- 
ing the second random number; 

means for obtaining the value based on the first random lo 
number and the second random number from the 
terminal response signal received from each user 
terminal; 
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means for diecking the second random number and the 
value based on the first random number contained in 
the terminal response sig^ial, acc^ffding to the second 
random number generated at the key center and the 
first random number contained in the key request 
signal, so as to confirm a legitimacy of an access 
from each user tenninal; and 

means for producing the key distribution signal con- 
taining the cipher key requested by the key request 
signal, only when the legitimacy of the access from 
each user terminal Is confirmed by said means for 
diecking. 

* 41 * ]|[ « 
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[57] ABSTRACT 

The invention relates to a method and a device for 
protecting software delivered to a user by a supplier. 
The method amounts to rendering the programs non< 
executable in the state in which they have been deliv- 
ered to the users. With each program (P,) there is associ- 
ated a validation key defmed via a main validation key 
(V () delivered by the supplier and recorded in a storage 
area (M) of the user's machine (1), and via a supplemen- 
tary key {y',) computed on the lever ofa card (C) issued 
to the user via a secret code (S) and via arguments (b,) 
that identify each program (P/) and are recorded in a 
storage area (Ml) of the card (C). 

8 Claims, 1 Drawing Figure 
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METHOD AND DEVICE FOR PROTECTING 
SOFTWARE DEUVERED TO A USER BY A 
SUPPLIER 

This is a continuation of application Ser. No. 698,261. 
filed Feb. 5, 1985, {now abandoned) which in turn is a 
continuation of Ser. No. 476.494, filed Mar. 18. 1983 
(now abandoned). 

BACKGROUND OF THE INVENTION 

Field of the Invention 

The invention relates generally to a method and a 
device for protecting software and is more particularly 
aimed at providing a method and a device by means of 
which a supplier who delivers software to a user re- 
mains in control of this software by rendering it non- 
executable in the fonn in which it is delivered, the exe- 
cution of said software being under the control of a 
validation key delivered to the user by the software 
supplier. 

Deflnitions 

At the outset, the expressions "software", "software 25 
protection" and "non-executable software" will be de- 
fined. 
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I. Software and software protection 

Software is understood to be at least one program in 
the conventional sense and, more generally, a set of 
programs. Generally, the organization of a software 
system associated with a data processing machine is 
such that a minimum of protection is given to the pro- 
grams as a result of procedures made available by the 33 
operating system of the machine. Thus, the user pro- 
gram and system programs benefit from a mutual pro- 
tection, each program having an assigned memory 
space which cannot be accessed by the other programs. 
As a matter of fact, such protection is inherent in the 40 
satisfactory management and smooth operation of a 
computer center. 

The software protection provided by the invention is 
located ,at a different level. More specifically, the point 
in question is to give the software supplier a maximum 43 
guarantee as to the diffusion of this software. In other 
words and within the spirit of the invention, it is not a 
question of giving the software a protection in the sense 
of a literary and artistic property by seeking to protect 
the very content of the software, but it is a question of 50 
giving the owner of a software protection with respect 
to a potential user by giving him the means of ensuring 
that only this user will be able to use said software. 

Indeed, from the moment a suppler negotiates with a 
potential user the rental or sale of a program, this sup- 55 
plier heretofore has not had any means of checking as to 
the use of this program by said user. Because of that, 
this user has heretofore very easily been able to take the 
place of the supplier to deliver, in his turn, the program 
to another user. 60 

2. Non-execuuble software 

GcneiBlly, any program is not directly executable by 
a data processing machine. Indeed, a program must 
undergo several transformations prior to its execution. 63 
Within the spirit of the invention, the program, even 
after undergoing tite aforesaid transformations, will still 
remain non-executable. 



Still within the spirit of the invention, this notion of 
non-execution of a program is not to be associated with 
a notion of secret. As a matter of fact, it h not a question 
of prohibiting the knowledge of the program to the 
user, but 10 control the use of this program by this user. 

According to the invention, the .supplier is thus in- 
duced to give to any potential user an incomplete or 
scrambled program and a1 lea.st one validation key that 
will enable him to execute the program. 

SUMMARY OF THE INVENTION 

Therefore, the invention proposes a method of pro- 
tecting software consisting of programs, the owner or 
supplier of these programs being induced to negotiate 
these programs with potential users who have at least 
one data processing machine on which these programs 
can be executed. So as to enable the supplier to remain 
in control of the diffusion of these programs once they 
have been issued to the users the invention comprises 
the steps of: 

rendering non-execuiable the programs in the state in 
which they have been delivered to the users; 

issuing to each user at least one portable carrier such 
as a card comprising at least processing circuits and a 
storage area where a secret code known only to the 
supplier and peculiar to each user has been recorded; 
and 

for each user, associating with each program a key of 
predetermined validation deftned in accordance with 
the program and with the secret code contained in the 
user's card, for the necessary transformation of said 
program into an executable program once the card is 
coupled or connected to the user's machine. 

According to another feature of the method of the 
invention, the aforesaid validation key is defined, on the 
one hand, via a main validation key issued by the sup- 
plier and available on the user's machine and, on the 
other hand, via a supplementary key of computed vali- 
dation on the level of the card issued to the user, via the 
secret code and via arguments of identiftcation that are 
peculiar to each program and which have been re- 
corded in the storage area of the card. 

According to another important feature of the inven- 
tion, the method comprises the steps of keeping the 
same argimients for the same program regardless of the 
user of this program; and giving a main validation key 
which is different, on the one hand, for each program 
delivered to a user and. on the other hand, for the same 
program delivered to another user. 

The interest of such a method resides especially in the 
invoicing by a supplier of the software sold or rented to 
a user. In other words, a supplier can possess a library of 
n programs which can be sold or rented to a user who, 
through payment, will enter into possession of all or 
part of said library. 

Thus, the supplier will deflne a validation key for 
each program chosen by a user and will issue a card 
which is unique to said user and in which a secret code 
has been recorded known solely to the supplier and 
unique to the user. By means of this validation key and 
the secret code, as described earlier, each prograni can 
be rendered executable. It will be understood, of course, 
that once a program has been rendered executable, it 
can be stored in the primary storage memory of the 
machine and can be reused directly without again catl- 
ing upon the protection procedure according to the 
invention, but this procedure will again be used each 
time the program is reloaded in the primary storage. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Other features, advantages and details will be more 
readily uiiderstcxid by reference to the explanatory 
description given hereinbclow in conjunction with the 5 
accompanying schematic drawing given by way of 
example and which illustrates schematically the princi- 
ple of the method according to the invention. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Let it be assumed that a person has a library of pro- 
grams (P|. . . P,-. . . Pn). This person, who may be a 
supplier, i& likely to rent or sell these programs to poten- 
tial users who have at least one data processing machine 1 ^ 
on which these programs can be executed. 

Before explaining in detail the method of the inven- 
tion, which henceforth will enable this supplier to check' 
the diffusion of the programs delivered to users, the 
physical means which are indispensable for the execu- 20 
tion of the method and the nature of the data processed 
thereby will be described briefly. 

Now, referring to the drawing, a data processing 
machine (1) of a potential user of the programs (Pi- . . 
■ Pi. Fn) comprises at least one memory (M), circuits (2) 25 
for controlling and processing the data stored in the ' 
memory (M), and an input/output device (3). 

The memory <M) is designed to contain: 

at least one program (P,-> of the library of programs 
(Pi- . . P,'. . . P„) for the purpose of executing it by the 30 
machine (1); 

a master main subprogram (SPP) issued by the sup- 
plier, and 

main validation keys (Vj. . . V,-. , . V^) at the rate of 
one key per program. These predetermined keys are 35 
issued by the supplier and are designed to be associated 
with supplementary validation keys (V'l, . . . V',-, . . . 
V'„) as will be explained hereinbclow. 

The control and processing circuits (2) are conven- 
tional with specificities peculiar to the type of machine 40 
employed. 

In addition to this data processing machine (1), a 
potential user must possess , the following auxiliary 
equipment: 

at least one portable carrier such as a card (C) issued 45 
by the supplier and designed to cooperate with the 
machine (1); and 

a card reader (LC) coupled to the machine (1) by 
means of the aforsesatd input/output device (3). 

The card (C) which is specific to a given user com- 50 
prises as least: 

one memory (Ml) in which are recorded: a secret 
code (S); 

a computer subprogram (SPC); and a Ubie (TB) con- 
taining a set of arguments (b|, . . . b/^ . . . bm) to identify 33 
the programs (Pi, . . .Ph... Pn); and processing circuits 
(4) which enable the computer subprogram (SPC) to be 
executed. 

The reader (LC) is essentially designed to ensure the 
transfer of the data between the machine (1) and the 60 
card (C). The circuits making up said reader are con- 
ventional and do not have any special features, i.e. the 
card reader is a conventional prior art device. 

In accordance with the invention, the execution of 
each program (P|. . . P(. . . Pa) is under the supervision 65 
of a validation key which is unique to the program and 
to the user. Thus, each program is under the supervision ' 
of a validation key which, in actual fact, consists, with 
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respect to the machine (1), of a main predetcrmined- 
validation key (V) and, with respect to the card (C), of 
a supplementary validation key (V) computed before 
the execution of the program. 

The supplementary validation key (V) is computed 
by the processing circuits (4) of the card (C) which 
execute the computer subprogram (SPC). This subpro- 
gmm (SPC) takes into account the secret code (S) re- 
corded in the memory (Ml) of the card (C) and at least 
one identification argument (b/) peculiar to each pro- 
gram (P,) and determined by the supplier. 

A card (C) is issued to the user and all the identifica- 
tion arguments (b|. . . b,. , . b„) of the programs (P|. . . 
Py. . . P„) are prerecorded in the table (TB) stored in the 
memory (Ml) of the card (C). Each identification argu- 
ment (hi) is, for example, an alphanumerical data item, 
and each program can be identified by one or more 
arguments. It is important to note that the identification 
arguments of the programs are preferably identical for 
all the potential users of the programs. 

The addressing of the identification argumenl(s) (bi . . 
. b,. . ■ hm) of a program (P,) for computing the supple- 
mentary validation key (V) is effected by means of 
identification parameters (ai. , . a,, . . a^) contained in 
each program and transmitted to the card (C) prior to 
the execution of the program. 

In order to limit the storage area occupied by the 
table (TB) in the memory (Ml) of the card, it is advanta- 
geous to identify each program by at least two identifi- 
cation arguments. In this way, it is not necessary to 
store as many identification arguments as there are pro- 
grams. By way of example, if the table (TB) contains m 
arguments (bi) with m^n (n being the number of pro- 
grams) and if each program is identified by two argu- 
ments, it is possible to address C^n programs. 

The main validation key (V) on the side of the ma- 
chine (1) is given by the supplier who, knowing the 
secret code (S) of the card (C) issued to the user and the 
identification arguments (b|. . . b/. . . bm) of each pro- 
gram (Pj. . . P,-. . . Pfl), can known in advance the value 
of the supplementary validation key (V') and can thus 
determine the value of the associated main validation 
key (V), said two keys (V) and (V') being combined by 
the subprogram (SPP) in order to render the associated 
program executable. 

The manner in which the program is rendered non- 
executable is not unique and the chosen solution does 
not modify the principle of the invention from the mo- 
ment when the execution of the program is supervised 
by a validation key with two levels (V. V), such as 
defined above. Each program (Pi. . . P,. . . P„) can be 
rendered non-executable or scrambled total partially. 

To explain the method of the invention, let us assume 
a user who desires to acquire the program (P^) of the 
library of programs (Pj. . . P,: . • Pn), each of said pro- 
grams being rendered non-executable in the state in 
which it has been delivered. 

The supplier will issue to this user: 

a program tape or disk containing the set of programs 
(Pi. ..Pi... P«); 

a card (C) such as defined above and containing in 
particular a secret code (S) unique to this user; 

the aforesaid subprogram (SPP) which will be re- 
corded in the memory (M) of the user's machine (1), and 

the main validation key (V/) peculiar to the program 
(P/) and which will likewise be recorded in the memory 
(M) of the machine (1) or contained in the program (P;). 
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When the user desires to execute the program (P/), he 
loads, first of all, this program (P,) in the memory (M) of 
his machine (J) by means of the program disk given by 
the supplier. TTiereupon, the operating system of the 
machine <1) subjects this program (P,) to the conven- 5 
tional transformations which are inherent in putting this 
program (P|) in a state of execution. In accordance with 
the invention, even after undergoing these transforma- 
tions, the program (P,) is always non-executable. 

To render it executable, the user will introduce the 10 
card (C) associated with his machine (1) into the reader 
(LC) which is coupled to the machine (1). 

Let it be assumed that the program (P,) is only scram- 
bled in part. Referring to the drawing, let us assume that 
the program (P,) contains a scrambled instruction, to 15 
wit. the Instruction code for the instruction (I/), In these 
conditions, the previous instructions (It) to {U) will be 
executed normally and the instruction (1,-1) which 
precedes the instruction (I/) will reroute to the subpro- 
gram (SPP), supplying at least one identification param- 20 
eter (a;) of the program (P/). 

The master or main subprogram (SPP) is executed 
and at the level of its instruction (Jj) ensures an alter- 
nate routing to the card (C) by means of the input/out- 
put device (3) under the supervision of the control cir- 25 
cuits (2) of the machine (1). The subprogram (SPP) 
sends to the card (C) the identification parameter (a/) in 
order to address at least one identification argument (b/) 
of the table (TB) recorded irt the memory (MI) of the 
card (C). At the level of the card (C) the computer 30 
subprogram (SPC) which takes into account the argu- 
ment (b/) of the program (P/) and the secret code (S) of 
the card for the computation of the supplementary vali- 
dation key (V',) by means of the processing circuits (4) 
of the card (C) is then executed. 35 

Once the supplementary validation key (V'/) of the 
program (P;) has been calculated, the value of the said 
key (V,) is sent back by means of the reader (LC) and 
the input/output (3) circuit of the machine (1) to the 
main subprogram (SPP). The instruction (J/) of the 40 
subprogram (SPP) will take this supplementary valida- 
tion key (V'i) into account as well as the main validation 
key (Vi) which has been prerecorded in the memory 
(M) of the machine (1) and is associated with the pro- 
gram (P,). By means of these two validation keys (V„ 45 
V'i), the main subprogram (SPP) will unscramble the 
instruction (I/) for the program (P,). By way of example, 
the two keys (V,) and (V'i) can be binary configurations 
with p bits with the subprogram (SPP) which executes 
a logic opCTation such as "EXCLUSIVE OR" upon 50 
these two binary configurations, the result of this logic 
operation giving the instruction code of the instruction 
m for the program (P/). In this way. the instruction (I>) 
for the program (P/) is unscrambled and the program 
(Pi) can then be executed in its entirety. 55 

According to another feature of the invention, the 
same user can possess a single card (C) for several ma- 
chines (1). In this case, the same program cannot be 
applied simultaneously to several machines, because the 
user's card must remain coupled to one machine in 60 
order to ensure the execution of the program on said 
machine. 

Needless to say that a user can purchase the same 
program several times, say, twice. He will then have to 
have two different cards in order to apply the same 65 
program simultaneously to two machines. 

Finally, if one card is issued for the possible execution 
of m programs among n available programs and if the 
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user desires to obtain the execution of other programs 
that have not been purchased initially, it is not neces.sary 
for the supplier to issue another card to him. It suffices 
that the supplier simply supply the main validation key 
of the new program{s) without having to modify the 
card thai has already been issued. 

To enable the supplier of the programs to remain in 
control of their diffu-sion, it is tmportanl thai the data 
recorded on the level of each card cannot be accessed 
from the outside in order (o avoid any fraud. 

While the invention has been described in connection 
with a particular embodiment, this description is not 
intended to be by way of limitation and resort should be 
made to the appended claims which define the full 
scope of the invention. 
I claim: 

I. A system for protecting software programs (P/. . . 
, P,-, . . . Pn) adapted to be executed on a data processing 
machine (1) of a user of the software programs, said 
machine having at least one memory (M), control and 
processing circuits (2), and an input/output device (3), 
the system comprising: 
a card (C), specific to the user, possessing at least one 

memory (Ml) and processing circuits (4),' and 
a card reader (LC) coupled with the input/output 
device (3) of the machine (1) and with the card (C) 
to enable data transfer therebetween; the memory 
(M) of the machine (1) containing at least one pro- 
gram (P,) deHvered by a supplier of the software 
programs, the one program including an identifica- 
tion parameter (a,) which identifies the one pro- 
gram and having a scrambled portion which ren- 
ders the one program non-executable on the ma- 
chine, containing a main validation key code (V/), 
specific to the one program, issued by the supplier, 
and containing a master program (SPP); the mem- 
ory (Ml) of the card (C) containing at least one 
secret code (S) specific to the user and known only 
to the suppler, and identification arguments which 
identify the programs, at least one of said identifi- 
cation arguments (b,) identifying said one program, 
the card having means responsive to the identifica- 
tion parameter, (ay) contained in the one program 
(P;) for addressing said identification argument (b/), 
and the processing circuits (4) of the card having 
means for computing a supplementary validation 
key code (V,) from the secret code (S) and the 
addressed identification argument (b/) of the pro- 
gram (Pi) and for transferring the supplemenury 
validation key code to the machine; and wherein 
the master program (SPP) is formed to combine the 
supplementary validation key code (V'/) and the 
main validation key code (V,-) for unscrambling the 
scrambled portion of the program (P/) and render- 
ing the program executable. 
2. A method of protecting software programs (Pi, . . 
P(, . . . Pn) delivered by a supplier to prospective users, 
each user possessing a data processing machine (1) on 
which said programs can be executed, the method com- 
prising: 

prior to delivery to a user rendering the programs 
' ' nonexecutable in the state in which the programs 
arc delivered, said rendering comprising scram- 
bling a portion of each program (P^) such that a 
predetermined validation key (V;, V'/) is required 
for unscrambling the program (P,) to transform it 
into an execuuble state, said predetermined valida- 
tion key comprising a combination of a main vali- 
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dation key (V/> and a supplemencary validation key 
(V/). the main validation key being defined in ac- 
cordance with the program (P,) and a secrel code 
(S) which is unique to the user and known solely lo 
the supplier, and the program (P/) having an identi- 
fication parameter (a,) which identifies the pro- 
gram; 

coupling to the user's machine a portable card having 
processing circuits (4) and a storage area (Mj) in 
which are recorded the user's unique secret code 
and identification arguments (b|. . . . b,, . , . b„) 
which are associated with the identtfication param- 
eters (ai, . . . a„ . . . a„> of the programs (Pi, . . . P., 
. . . P„): 

storing in a memory (M) of the user's machine the 
program (P,) and the corresponding main valida- 
tion code (V/); 

transferring to the card the identification parameter 

(a;); 

producing in the processing circuits of the card the 
supplementary validation key (V/) for the program 
as a function of the secret code and an associ- 
ated identification argument (by) and supplying said 
supplementary validation key to the user's ma- 
chine; 

combining in the user's machine, the main validation 
key and the supplementary validation key to pro- 
duce the predetermined validation key; and 
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which differs from the main validation key for the 
same program (P,) delivered to another user. 

4. The method as defined in claim 3, wherein said 
prerecording further includes: 

prerecording in the storage area of the card the iden- 
tification arguments (b| b/, . . . b„) of the pro- 
grams in the form of a table (TB); and wherein the 
card is formed to permit addressing of at least one 
said identification argument (b,) of the program (Py) 
by means of at least one associated identification 
parameter (a,) which is transferred to the card by 
the user's machine. 

5. The method as defined in claim 2 comprising: 
recording in the memory of the user's machine a main 

subprogram (SPP); 
said subprogram (SPP) being formed to transfer the 
identification parameters (a,) to the card (C), for 
addressing said identification arguments (b,), to 
receive from the processing circuits (4) of the card 
(C) the supplementary validation key {V'/> pro- 
duced from the arguments (b/) addressed by the 
identification parameters (a/) and from the secret 
code (S) of the card (C), and to combine said sup- 
plementary validation key (V',> with the main vali- 
dation key (V/) of the program (P/) to be executed 
in order to produce said predetermined validation 
key and render said program executable. ■ 
6. The method as defined in claim 2, wherein said 
scrambling comprises rendering at least one instruction 
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applying the predetermined validation key to the Program non-executable through scrambling of 



program (P/) to unscramble the program (P,) and 
transform it into an executable state. 
3. The method as defined in claim 2 further compris- 
rtg: 

prerecording in each user's card prior to delivery of 
the card to the user identical identification argu- 
ments (b,) for identifying the same program regard- 
less of the user of said program, and 
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an instruction code of the instruction. 

7, The method as defined in claim 6 further compris- 
ing forming each main validation key (V,) and each 
supplementary validation key (V',) as a binary configu- 
ration with p bits. 

8. The method as defined in claim 7, wherein, for the 
purpose of unscrambling the instruction code, the 
method further comprises forming the main validation 
key (V,) and the supplementary validation key (V',> so 



for each program (P,) delivered to the user and • » ^pcrauon 
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